@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/jose/dist/webapi/lib/content_encryption.js

@@ -0,0 +1,217 @@
+import { concat, uint64be } from './buffer_utils.js';
+import { checkEncCryptoKey } from './crypto_key.js';
+import { invalidKeyInput } from './invalid_key_input.js';
+import { JOSENotSupported, JWEDecryptionFailed, JWEInvalid } from '../util/errors.js';
+import { isCryptoKey } from './is_key_like.js';
+export function cekLength(alg) {
+    switch (alg) {
+        case 'A128GCM':
+            return 128;
+        case 'A192GCM':
+            return 192;
+        case 'A256GCM':
+        case 'A128CBC-HS256':
+            return 256;
+        case 'A192CBC-HS384':
+            return 384;
+        case 'A256CBC-HS512':
+            return 512;
+        default:
+            throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);
+    }
+}
+export const generateCek = (alg) => crypto.getRandomValues(new Uint8Array(cekLength(alg) >> 3));
+function checkCekLength(cek, expected) {
+    const actual = cek.byteLength << 3;
+    if (actual !== expected) {
+        throw new JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`);
+    }
+}
+function ivBitLength(alg) {
+    switch (alg) {
+        case 'A128GCM':
+        case 'A128GCMKW':
+        case 'A192GCM':
+        case 'A192GCMKW':
+        case 'A256GCM':
+        case 'A256GCMKW':
+            return 96;
+        case 'A128CBC-HS256':
+        case 'A192CBC-HS384':
+        case 'A256CBC-HS512':
+            return 128;
+        default:
+            throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);
+    }
+}
+export const generateIv = (alg) => crypto.getRandomValues(new Uint8Array(ivBitLength(alg) >> 3));
+export function checkIvLength(enc, iv) {
+    if (iv.length << 3 !== ivBitLength(enc)) {
+        throw new JWEInvalid('Invalid Initialization Vector length');
+    }
+}
+async function cbcKeySetup(enc, cek, usage) {
+    if (!(cek instanceof Uint8Array)) {
+        throw new TypeError(invalidKeyInput(cek, 'Uint8Array'));
+    }
+    const keySize = parseInt(enc.slice(1, 4), 10);
+    const encKey = await crypto.subtle.importKey('raw', cek.subarray(keySize >> 3), 'AES-CBC', false, [usage]);
+    const macKey = await crypto.subtle.importKey('raw', cek.subarray(0, keySize >> 3), {
+        hash: `SHA-${keySize << 1}`,
+        name: 'HMAC',
+    }, false, ['sign']);
+    return { encKey, macKey, keySize };
+}
+async function cbcHmacTag(macKey, macData, keySize) {
+    return new Uint8Array((await crypto.subtle.sign('HMAC', macKey, macData)).slice(0, keySize >> 3));
+}
+async function cbcEncrypt(enc, plaintext, cek, iv, aad) {
+    const { encKey, macKey, keySize } = await cbcKeySetup(enc, cek, 'encrypt');
+    const ciphertext = new Uint8Array(await crypto.subtle.encrypt({
+        iv: iv,
+        name: 'AES-CBC',
+    }, encKey, plaintext));
+    const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
+    const tag = await cbcHmacTag(macKey, macData, keySize);
+    return { ciphertext, tag, iv };
+}
+async function timingSafeEqual(a, b) {
+    if (!(a instanceof Uint8Array)) {
+        throw new TypeError('First argument must be a buffer');
+    }
+    if (!(b instanceof Uint8Array)) {
+        throw new TypeError('Second argument must be a buffer');
+    }
+    const algorithm = { name: 'HMAC', hash: 'SHA-256' };
+    const key = (await crypto.subtle.generateKey(algorithm, false, ['sign']));
+    const aHmac = new Uint8Array(await crypto.subtle.sign(algorithm, key, a));
+    const bHmac = new Uint8Array(await crypto.subtle.sign(algorithm, key, b));
+    let out = 0;
+    let i = -1;
+    while (++i < 32) {
+        out |= aHmac[i] ^ bHmac[i];
+    }
+    return out === 0;
+}
+async function cbcDecrypt(enc, cek, ciphertext, iv, tag, aad) {
+    const { encKey, macKey, keySize } = await cbcKeySetup(enc, cek, 'decrypt');
+    const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
+    const expectedTag = await cbcHmacTag(macKey, macData, keySize);
+    let macCheckPassed;
+    try {
+        macCheckPassed = await timingSafeEqual(tag, expectedTag);
+    }
+    catch {
+    }
+    if (!macCheckPassed) {
+        throw new JWEDecryptionFailed();
+    }
+    let plaintext;
+    try {
+        plaintext = new Uint8Array(await crypto.subtle.decrypt({ iv: iv, name: 'AES-CBC' }, encKey, ciphertext));
+    }
+    catch {
+    }
+    if (!plaintext) {
+        throw new JWEDecryptionFailed();
+    }
+    return plaintext;
+}
+async function gcmEncrypt(enc, plaintext, cek, iv, aad) {
+    let encKey;
+    if (cek instanceof Uint8Array) {
+        encKey = await crypto.subtle.importKey('raw', cek, 'AES-GCM', false, ['encrypt']);
+    }
+    else {
+        checkEncCryptoKey(cek, enc, 'encrypt');
+        encKey = cek;
+    }
+    const encrypted = new Uint8Array(await crypto.subtle.encrypt({
+        additionalData: aad,
+        iv: iv,
+        name: 'AES-GCM',
+        tagLength: 128,
+    }, encKey, plaintext));
+    const tag = encrypted.slice(-16);
+    const ciphertext = encrypted.slice(0, -16);
+    return { ciphertext, tag, iv };
+}
+async function gcmDecrypt(enc, cek, ciphertext, iv, tag, aad) {
+    let encKey;
+    if (cek instanceof Uint8Array) {
+        encKey = await crypto.subtle.importKey('raw', cek, 'AES-GCM', false, ['decrypt']);
+    }
+    else {
+        checkEncCryptoKey(cek, enc, 'decrypt');
+        encKey = cek;
+    }
+    try {
+        return new Uint8Array(await crypto.subtle.decrypt({
+            additionalData: aad,
+            iv: iv,
+            name: 'AES-GCM',
+            tagLength: 128,
+        }, encKey, concat(ciphertext, tag)));
+    }
+    catch {
+        throw new JWEDecryptionFailed();
+    }
+}
+const unsupportedEnc = 'Unsupported JWE Content Encryption Algorithm';
+export async function encrypt(enc, plaintext, cek, iv, aad) {
+    if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) {
+        throw new TypeError(invalidKeyInput(cek, 'CryptoKey', 'KeyObject', 'Uint8Array', 'JSON Web Key'));
+    }
+    if (iv) {
+        checkIvLength(enc, iv);
+    }
+    else {
+        iv = generateIv(enc);
+    }
+    switch (enc) {
+        case 'A128CBC-HS256':
+        case 'A192CBC-HS384':
+        case 'A256CBC-HS512':
+            if (cek instanceof Uint8Array) {
+                checkCekLength(cek, parseInt(enc.slice(-3), 10));
+            }
+            return cbcEncrypt(enc, plaintext, cek, iv, aad);
+        case 'A128GCM':
+        case 'A192GCM':
+        case 'A256GCM':
+            if (cek instanceof Uint8Array) {
+                checkCekLength(cek, parseInt(enc.slice(1, 4), 10));
+            }
+            return gcmEncrypt(enc, plaintext, cek, iv, aad);
+        default:
+            throw new JOSENotSupported(unsupportedEnc);
+    }
+}
+export async function decrypt(enc, cek, ciphertext, iv, tag, aad) {
+    if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) {
+        throw new TypeError(invalidKeyInput(cek, 'CryptoKey', 'KeyObject', 'Uint8Array', 'JSON Web Key'));
+    }
+    if (!iv) {
+        throw new JWEInvalid('JWE Initialization Vector missing');
+    }
+    if (!tag) {
+        throw new JWEInvalid('JWE Authentication Tag missing');
+    }
+    checkIvLength(enc, iv);
+    switch (enc) {
+        case 'A128CBC-HS256':
+        case 'A192CBC-HS384':
+        case 'A256CBC-HS512':
+            if (cek instanceof Uint8Array)
+                checkCekLength(cek, parseInt(enc.slice(-3), 10));
+            return cbcDecrypt(enc, cek, ciphertext, iv, tag, aad);
+        case 'A128GCM':
+        case 'A192GCM':
+        case 'A256GCM':
+            if (cek instanceof Uint8Array)
+                checkCekLength(cek, parseInt(enc.slice(1, 4), 10));
+            return gcmDecrypt(enc, cek, ciphertext, iv, tag, aad);
+        default:
+            throw new JOSENotSupported(unsupportedEnc);
+    }
+}

package/dist/node_modules/jose/dist/webapi/lib/crypto_key.js

@@ -0,0 +1,136 @@
+const unusable = (name, prop = 'algorithm.name') => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+const isAlgorithm = (algorithm, name) => algorithm.name === name;
+function getHashLength(hash) {
+    return parseInt(hash.name.slice(4), 10);
+}
+function checkHashLength(algorithm, expected) {
+    const actual = getHashLength(algorithm.hash);
+    if (actual !== expected)
+        throw unusable(`SHA-${expected}`, 'algorithm.hash');
+}
+function getNamedCurve(alg) {
+    switch (alg) {
+        case 'ES256':
+            return 'P-256';
+        case 'ES384':
+            return 'P-384';
+        case 'ES512':
+            return 'P-521';
+        default:
+            throw new Error('unreachable');
+    }
+}
+function checkUsage(key, usage) {
+    if (usage && !key.usages.includes(usage)) {
+        throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+    }
+}
+export function checkSigCryptoKey(key, alg, usage) {
+    switch (alg) {
+        case 'HS256':
+        case 'HS384':
+        case 'HS512': {
+            if (!isAlgorithm(key.algorithm, 'HMAC'))
+                throw unusable('HMAC');
+            checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+            break;
+        }
+        case 'RS256':
+        case 'RS384':
+        case 'RS512': {
+            if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))
+                throw unusable('RSASSA-PKCS1-v1_5');
+            checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+            break;
+        }
+        case 'PS256':
+        case 'PS384':
+        case 'PS512': {
+            if (!isAlgorithm(key.algorithm, 'RSA-PSS'))
+                throw unusable('RSA-PSS');
+            checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+            break;
+        }
+        case 'Ed25519':
+        case 'EdDSA': {
+            if (!isAlgorithm(key.algorithm, 'Ed25519'))
+                throw unusable('Ed25519');
+            break;
+        }
+        case 'ML-DSA-44':
+        case 'ML-DSA-65':
+        case 'ML-DSA-87': {
+            if (!isAlgorithm(key.algorithm, alg))
+                throw unusable(alg);
+            break;
+        }
+        case 'ES256':
+        case 'ES384':
+        case 'ES512': {
+            if (!isAlgorithm(key.algorithm, 'ECDSA'))
+                throw unusable('ECDSA');
+            const expected = getNamedCurve(alg);
+            const actual = key.algorithm.namedCurve;
+            if (actual !== expected)
+                throw unusable(expected, 'algorithm.namedCurve');
+            break;
+        }
+        default:
+            throw new TypeError('CryptoKey does not support this operation');
+    }
+    checkUsage(key, usage);
+}
+export function checkEncCryptoKey(key, alg, usage) {
+    switch (alg) {
+        case 'A128GCM':
+        case 'A192GCM':
+        case 'A256GCM': {
+            if (!isAlgorithm(key.algorithm, 'AES-GCM'))
+                throw unusable('AES-GCM');
+            const expected = parseInt(alg.slice(1, 4), 10);
+            const actual = key.algorithm.length;
+            if (actual !== expected)
+                throw unusable(expected, 'algorithm.length');
+            break;
+        }
+        case 'A128KW':
+        case 'A192KW':
+        case 'A256KW': {
+            if (!isAlgorithm(key.algorithm, 'AES-KW'))
+                throw unusable('AES-KW');
+            const expected = parseInt(alg.slice(1, 4), 10);
+            const actual = key.algorithm.length;
+            if (actual !== expected)
+                throw unusable(expected, 'algorithm.length');
+            break;
+        }
+        case 'ECDH': {
+            switch (key.algorithm.name) {
+                case 'ECDH':
+                case 'X25519':
+                    break;
+                default:
+                    throw unusable('ECDH or X25519');
+            }
+            break;
+        }
+        case 'PBES2-HS256+A128KW':
+        case 'PBES2-HS384+A192KW':
+        case 'PBES2-HS512+A256KW':
+            if (!isAlgorithm(key.algorithm, 'PBKDF2'))
+                throw unusable('PBKDF2');
+            break;
+        case 'RSA-OAEP':
+        case 'RSA-OAEP-256':
+        case 'RSA-OAEP-384':
+        case 'RSA-OAEP-512': {
+            if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))
+                throw unusable('RSA-OAEP');
+            checkHashLength(key.algorithm, parseInt(alg.slice(9), 10) || 1);
+            break;
+        }
+        default:
+            throw new TypeError('CryptoKey does not support this operation');
+    }
+    checkUsage(key, usage);
+}

package/dist/node_modules/jose/dist/webapi/lib/deflate.js

@@ -0,0 +1,44 @@
+import { JOSENotSupported, JWEInvalid } from '../util/errors.js';
+import { concat } from './buffer_utils.js';
+function supported(name) {
+    if (typeof globalThis[name] === 'undefined') {
+        throw new JOSENotSupported(`JWE "zip" (Compression Algorithm) Header Parameter requires the ${name} API.`);
+    }
+}
+export async function compress(input) {
+    supported('CompressionStream');
+    const cs = new CompressionStream('deflate-raw');
+    const writer = cs.writable.getWriter();
+    writer.write(input);
+    writer.close();
+    const chunks = [];
+    const reader = cs.readable.getReader();
+    for (;;) {
+        const { value, done } = await reader.read();
+        if (done)
+            break;
+        chunks.push(value);
+    }
+    return concat(...chunks);
+}
+export async function decompress(input, maxLength) {
+    supported('DecompressionStream');
+    const ds = new DecompressionStream('deflate-raw');
+    const writer = ds.writable.getWriter();
+    writer.write(input);
+    writer.close();
+    const chunks = [];
+    let length = 0;
+    const reader = ds.readable.getReader();
+    for (;;) {
+        const { value, done } = await reader.read();
+        if (done)
+            break;
+        chunks.push(value);
+        length += value.byteLength;
+        if (maxLength !== Infinity && length > maxLength) {
+            throw new JWEInvalid('Decompressed plaintext exceeded the configured limit');
+        }
+    }
+    return concat(...chunks);
+}

package/dist/node_modules/jose/dist/webapi/lib/ecdhes.js

@@ -0,0 +1,52 @@
+import { encode, concat, uint32be } from './buffer_utils.js';
+import { checkEncCryptoKey } from './crypto_key.js';
+import { digest } from './helpers.js';
+function lengthAndInput(input) {
+    return concat(uint32be(input.length), input);
+}
+async function concatKdf(Z, L, OtherInfo) {
+    const dkLen = L >> 3;
+    const hashLen = 32;
+    const reps = Math.ceil(dkLen / hashLen);
+    const dk = new Uint8Array(reps * hashLen);
+    for (let i = 1; i <= reps; i++) {
+        const hashInput = new Uint8Array(4 + Z.length + OtherInfo.length);
+        hashInput.set(uint32be(i), 0);
+        hashInput.set(Z, 4);
+        hashInput.set(OtherInfo, 4 + Z.length);
+        const hashResult = await digest('sha256', hashInput);
+        dk.set(hashResult, (i - 1) * hashLen);
+    }
+    return dk.slice(0, dkLen);
+}
+export async function deriveKey(publicKey, privateKey, algorithm, keyLength, apu = new Uint8Array(), apv = new Uint8Array()) {
+    checkEncCryptoKey(publicKey, 'ECDH');
+    checkEncCryptoKey(privateKey, 'ECDH', 'deriveBits');
+    const algorithmID = lengthAndInput(encode(algorithm));
+    const partyUInfo = lengthAndInput(apu);
+    const partyVInfo = lengthAndInput(apv);
+    const suppPubInfo = uint32be(keyLength);
+    const suppPrivInfo = new Uint8Array();
+    const otherInfo = concat(algorithmID, partyUInfo, partyVInfo, suppPubInfo, suppPrivInfo);
+    const Z = new Uint8Array(await crypto.subtle.deriveBits({
+        name: publicKey.algorithm.name,
+        public: publicKey,
+    }, privateKey, getEcdhBitLength(publicKey)));
+    return concatKdf(Z, keyLength, otherInfo);
+}
+function getEcdhBitLength(publicKey) {
+    if (publicKey.algorithm.name === 'X25519') {
+        return 256;
+    }
+    return (Math.ceil(parseInt(publicKey.algorithm.namedCurve.slice(-3), 10) / 8) << 3);
+}
+export function allowed(key) {
+    switch (key.algorithm.namedCurve) {
+        case 'P-256':
+        case 'P-384':
+        case 'P-521':
+            return true;
+        default:
+            return key.algorithm.name === 'X25519';
+    }
+}

package/dist/node_modules/jose/dist/webapi/lib/helpers.js

@@ -0,0 +1,19 @@
+import { decode } from '../util/base64url.js';
+export const unprotected = Symbol();
+export function assertNotSet(value, name) {
+    if (value) {
+        throw new TypeError(`${name} can only be called once`);
+    }
+}
+export function decodeBase64url(value, label, ErrorClass) {
+    try {
+        return decode(value);
+    }
+    catch {
+        throw new ErrorClass(`Failed to base64url decode the ${label}`);
+    }
+}
+export async function digest(algorithm, data) {
+    const subtleDigest = `SHA-${algorithm.slice(-3)}`;
+    return new Uint8Array(await crypto.subtle.digest(subtleDigest, data));
+}

package/dist/node_modules/jose/dist/webapi/lib/invalid_key_input.js

@@ -0,0 +1,27 @@
+function message(msg, actual, ...types) {
+    types = types.filter(Boolean);
+    if (types.length > 2) {
+        const last = types.pop();
+        msg += `one of type ${types.join(', ')}, or ${last}.`;
+    }
+    else if (types.length === 2) {
+        msg += `one of type ${types[0]} or ${types[1]}.`;
+    }
+    else {
+        msg += `of type ${types[0]}.`;
+    }
+    if (actual == null) {
+        msg += ` Received ${actual}`;
+    }
+    else if (typeof actual === 'function' && actual.name) {
+        msg += ` Received function ${actual.name}`;
+    }
+    else if (typeof actual === 'object' && actual != null) {
+        if (actual.constructor?.name) {
+            msg += ` Received an instance of ${actual.constructor.name}`;
+        }
+    }
+    return msg;
+}
+export const invalidKeyInput = (actual, ...types) => message('Key must be ', actual, ...types);
+export const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);

package/dist/node_modules/jose/dist/webapi/lib/is_key_like.js

@@ -0,0 +1,17 @@
+export function assertCryptoKey(key) {
+    if (!isCryptoKey(key)) {
+        throw new Error('CryptoKey instance expected');
+    }
+}
+export const isCryptoKey = (key) => {
+    if (key?.[Symbol.toStringTag] === 'CryptoKey')
+        return true;
+    try {
+        return key instanceof CryptoKey;
+    }
+    catch {
+        return false;
+    }
+};
+export const isKeyObject = (key) => key?.[Symbol.toStringTag] === 'KeyObject';
+export const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);

package/dist/node_modules/jose/dist/webapi/lib/jwk_to_key.js

@@ -0,0 +1,107 @@
+import { JOSENotSupported } from '../util/errors.js';
+const unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
+function subtleMapping(jwk) {
+    let algorithm;
+    let keyUsages;
+    switch (jwk.kty) {
+        case 'AKP': {
+            switch (jwk.alg) {
+                case 'ML-DSA-44':
+                case 'ML-DSA-65':
+                case 'ML-DSA-87':
+                    algorithm = { name: jwk.alg };
+                    keyUsages = jwk.priv ? ['sign'] : ['verify'];
+                    break;
+                default:
+                    throw new JOSENotSupported(unsupportedAlg);
+            }
+            break;
+        }
+        case 'RSA': {
+            switch (jwk.alg) {
+                case 'PS256':
+                case 'PS384':
+                case 'PS512':
+                    algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` };
+                    keyUsages = jwk.d ? ['sign'] : ['verify'];
+                    break;
+                case 'RS256':
+                case 'RS384':
+                case 'RS512':
+                    algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` };
+                    keyUsages = jwk.d ? ['sign'] : ['verify'];
+                    break;
+                case 'RSA-OAEP':
+                case 'RSA-OAEP-256':
+                case 'RSA-OAEP-384':
+                case 'RSA-OAEP-512':
+                    algorithm = {
+                        name: 'RSA-OAEP',
+                        hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`,
+                    };
+                    keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];
+                    break;
+                default:
+                    throw new JOSENotSupported(unsupportedAlg);
+            }
+            break;
+        }
+        case 'EC': {
+            switch (jwk.alg) {
+                case 'ES256':
+                case 'ES384':
+                case 'ES512':
+                    algorithm = {
+                        name: 'ECDSA',
+                        namedCurve: { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' }[jwk.alg],
+                    };
+                    keyUsages = jwk.d ? ['sign'] : ['verify'];
+                    break;
+                case 'ECDH-ES':
+                case 'ECDH-ES+A128KW':
+                case 'ECDH-ES+A192KW':
+                case 'ECDH-ES+A256KW':
+                    algorithm = { name: 'ECDH', namedCurve: jwk.crv };
+                    keyUsages = jwk.d ? ['deriveBits'] : [];
+                    break;
+                default:
+                    throw new JOSENotSupported(unsupportedAlg);
+            }
+            break;
+        }
+        case 'OKP': {
+            switch (jwk.alg) {
+                case 'Ed25519':
+                case 'EdDSA':
+                    algorithm = { name: 'Ed25519' };
+                    keyUsages = jwk.d ? ['sign'] : ['verify'];
+                    break;
+                case 'ECDH-ES':
+                case 'ECDH-ES+A128KW':
+                case 'ECDH-ES+A192KW':
+                case 'ECDH-ES+A256KW':
+                    algorithm = { name: jwk.crv };
+                    keyUsages = jwk.d ? ['deriveBits'] : [];
+                    break;
+                default:
+                    throw new JOSENotSupported(unsupportedAlg);
+            }
+            break;
+        }
+        default:
+            throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+    }
+    return { algorithm, keyUsages };
+}
+export async function jwkToKey(jwk) {
+    if (!jwk.alg) {
+        throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+    }
+    const { algorithm, keyUsages } = subtleMapping(jwk);
+    const keyData = { ...jwk };
+    if (keyData.kty !== 'AKP') {
+        delete keyData.alg;
+    }
+    delete keyData.use;
+    return crypto.subtle.importKey('jwk', keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
+}